United Airlines Bug Bounty Doesn’t Always Lead to Quick Fix or Promised Rewards

A computer analyst says it took the threat of public exposure for United Airlines to fix the cyber vulnerabilities he discovered.

When United Airlines started a “bug bounty program” in May of this year, the company hoped that rather than exploiting weaknesses in its computer systems, tech-savvy members of the public would instead be enticed to privately report those security vulnerabilities in exchange for rewards of up to one million MileagePlus award points. According to a report by Computerworld, United officials have been both loath to pay the promised bounty and slow to fix the very bugs the bounty program was created to eliminate.

Participants in United’s bug bounty program were required to follow two very important rules: flight-sensitive computer networks, including dispatching, aircraft avionics and inflight entertainment systems, were strictly off limits; and publicly disclosing any bugs or cyber vulnerabilities that were discovered was also forbidden. Anyone who violated these rules would be booted from the program and become ineligible for any future bounty.

When computer security analyst Randy Westergren discovered a bug in United’s reservation system, he says he was careful to stay in compliance with the two prime directives of the bounty program. Soon after the program started, Westergren officially reported a critical flaw that would allow a hacker to potentially “completely manage any aspect of a flight reservation using United’s website.”

Unfortunately, Westergren was not the first to report the bug to United and soon received a notice from the airline telling him he would not be getting the hoped-for bounty. Still, Westergren says he took some pride in knowing that the flaw he pointed out would soon be fixed.

However, Westergren says that when he asked the airline to keep him updated on how his hard work was being put to use, the airline informed him that only the original whistleblower would be kept in the loop. The security expert began to suspect that the airline had no intention of fixing the bug.

With no evidence that United was taking the critical computer flaw seriously, Westergren threatened to go to the press with his story. He claims the airline then responded by reminding him that if he shared his discovery he would be banned from participating in the bounty program.

Since the airline had already informed him that he would not be receiving the reward in any case, he made the decision to alert reporters about his findings related to the United Airlines Mobile App. Westergren believes that the company only fixed the issue after airline officials were contacted about the bug by media outlets, by then nearly six months after the computer security flaw was initially reported to the company.
